river-dev mailing list archives

From Tom Hobbs <tvho...@googlemail.com>
Subject Re: Jtreg test suite certificates
Date Mon, 06 Feb 2012 08:56:20 GMT
Well done, Peter.  You're a serious workhorse on River and we're
grateful for what you're getting done.

Cheers.

On Mon, Feb 6, 2012 at 7:23 AM, Peter Firmstone <jini@zeus.net.au> wrote:
> Peter Firmstone wrote:
>>
>> Good news,
>>
>> It's fixed!  Turns out cloning the existing valid certs was a bad idea,
>> the keystore got confused and returned the wrong cert, that's all the
>> problem was.  Generating keys and certs is now an automated script too, it
>> works (at least on Solaris).
>>
>> Perhaps in February 2022, when the certs need to be regenerated again, I
>> can be as helpful for the next guy as you were for me ;)
>>
>> N.B. Running the jtreg tests helped me fix a couple of concurrency bugs
>> and some corner cases in my new policy provider,
>
>
> Just to clarify, the concurrency bugs weren't in the policy provider, only
> the corner cases, which dealt with policy delegation and something else I
> can't remember right now.
>
>
>> so these tests are still of high value.  Oh and the jtreg scripts are now
>> Java 6 compatible.
>>
>> Now all I have to do is go run all the jtreg and qa tests again and see if
>> I've broken anything!
>>
>> Cheers & thanks,
>>
>> Peter.
>>
>> bash-3.00$ ant jtreg
>> Buildfile: build.xml
>>
>> jtreg:
>>   [mkdir] Created dir:
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>>    [move] Moving 6 files to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>>    [move] Moving 1 file to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>>   [jtreg] Test results: passed: 1
>>   [jtreg] Report written to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
>>   [jtreg] Results written to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
>>    [move] Moving 6 files to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
>>    [move] Moving 1 file to
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
>>  [delete] Deleting directory
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>>  [delete] Deleting:
>> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props
>>
>> BUILD SUCCESSFUL
>> Total time: 1 minute 25 seconds
>>
>> bash-3.00$ keystore.sh
>> + rm ./keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US -keyalg
>> RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US -keyalg
>> DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
>> + rm ./truststore
>> + cp ./keystore ./truststore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 -keyalg
>> DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -certreq -alias clientDSA2expired -file
>> clientDSA2expired.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 -keyalg
>> RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -certreq -alias serverRSA2expired -file
>> serverRSA2expired.request
>> + set +x
>> Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and
>> serverRSA2expired.req, then import them:
>> expired certificates need one day to expire before testing.
>> + ../../../../../certs/run-ca.sh -CA ./ca.properties
>> + ../../../../../certs/run-ca.sh -CA ./ca1.properties
>> + ../../../../../certs/run-ca.sh -CR ./ca.properties
>> + ../../../../../certs/run-ca.sh -CR ./ca1.properties
>> + ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
>> + ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
>> + keytool -keystore ./truststore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias ca -file ca.cert
>> Certificate was added to keystore
>> + keytool -keystore ./truststore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias ca -file ca.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -import -noprompt -alias clientDSA2expired -file
>> clientDSA2expired.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass
>> -validity 1 -import -noprompt -alias serverRSA2expired -file
>> serverRSA2expired.chain
>> Certificate reply was installed in keystore
>> bash-3.00$
>>
>> Tim Blackman wrote:
>>>
>>> On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
>>>
>>>
>>>>
>>>> Well, here's the bad news; the certificate has expired, but the tests
>>>> still fail.  This is the first time these tests have been run under jdk 1.6,
>>>> to my knowledge at least.
>>>>
>>>> The test expects jeri to throw a ConnectIOException, but it doesn't.
>>>>
>>>> The good news is, when the server certificate has expired, an
>>>> IOException is thrown as expected.  I have to comment out:  "throw new
>>>> FailedException(" in TestRMI for the expired client test, or FailedException
>>>> will be thrown before the expired server certificate is tested.
>>>>
>>>> This could indicate the ServerAuthManager could have a problem, since
>>>> the ClientAuthManager is behaving correctly?
>>>>
>>
>>
>
